9002750

Methods and systems for secure user authentication

Published April 7, 2015
Assignee: not available in USPTO data we have
Technical Abstract

Patent Claims
30 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A computer-implemented method for secure user authentication using a one-time password, comprising: storing, on a first computing device, a one-time password application; storing on a back-end server a valid personal identification number (PIN) value and a valid shared secret for the user; receiving entry on the first computing device of a purported PIN value of the user; dynamically synthesizing a purported shared secret on the first computing device by the one-time password application using the purported PIN value of the user, wherein no part of the valid PIN value is stored on the first computing device; generating a purported one-time password value on the first computing device based on the purported shared secret; receiving entry of the purported one-time password value by the back-end server in an attempt to log on the back-end server from a second computing device; calculating a time frame window of one-time password values by the back-end server and comparing with the one-time password value received; and allowing log on to the back-end server from the second computing device when a one-time password value in the window corresponds to the received one-time password value.

2. The method of claim 1, wherein storing the one-time password application on the first computing device further comprises storing the one-time password application on one of a mobile phone, a PDA, a PC, a laptop computer, a hardware token, and an ATM.

3. The method of claim 1, wherein storing the one-time password application on the first computing device further comprises storing an algorithm on the first computing device that employs a moving factor for generating successive different valid one-time password values responsive to receiving entry of the valid PIN value of the user.

4. The method of claim 3, wherein storing the algorithm on the first computing device that employs the moving factor further comprises storing an algorithm on the first computing device that employs an incrementing event counter that is synchronized with an incremental event counter on the back-end server for generating successive different valid one-time passwords responsive to receiving entry of the valid PIN value of the user.

5. The method of claim 3, wherein storing the algorithm on the first computing device that employs the moving factor further comprises storing the algorithm on the first computing device that employs a clock that is synchronized with a clock on the back-end server for generating successive different valid one-time passwords responsive to receiving entry of the valid PIN value of the user.

6. The method of claim 3, wherein storing the algorithm on the first computing device that employs the moving factor further comprises storing the algorithm on the first computing device that employs both an incrementing event counter that is synchronized with an incrementing event counter on the back-end server and a clock that is synchronized with a clock on the back-end server for generating successive different valid one-time passwords in response to receiving entry of the valid PIN of the user.

7. The method of claim 6, wherein storing the algorithm on the first computing device that employs both the incrementing event counter and the clock for generating successive different valid one-time passwords further comprises storing the algorithm on the first computing device that employs both the incrementing event counter and the clock for generating successive different valid one-time passwords within successive moving time windows in response to receiving entry of the valid PIN of the user.

8. The method of claim 1, wherein storing the valid PIN and the valid shared secret for the user on the back-end server further comprises allowing the user to create the valid PIN in an interactive enrollment session between the user at the first computing device and the back-end server.

9. The method of claim 8, wherein storing the valid PIN and the valid shared secret on the back-end server further comprises allowing the user at the first computing device to change the user's PIN in a succeeding interactive session between the user at the first computing device and the back-end server.

10. The method of claim 1, wherein storing the valid PIN and the valid shared secret for the user on the back-end server further comprises storing a key for a cryptographic calculation for the user on the back-end server.

11. The method of claim 1, wherein receiving entry on the first computing device of the purported PIN value of the user further comprises receiving entry on the first computing device of one of the valid PIN value of the user and an invalid PIN value.

12. The method of claim 1, wherein dynamically synthesizing the purported shared secret on the first computing device by the one-time password application based on the purported PIN value of the user further comprises employing the purported PIN value as part of an algorithm process to dynamically synthesize the purported shared secret by the one-time password application.

13. The method of claim 1, wherein dynamically synthesizing the purported shared secret on the first computing device by the one-time password application based on the purported PIN value of the user and generating the purported one-time password value on the first computing device based on the purported shared secret further comprises dynamically synthesizing a purported shared secret on the first computing device by the one-time password application based on the purported PIN value of the user and generating the purported one-time password value on the first computing device based on the purported shared secret regardless of whether the purported PIN value is the valid PIN value of the user.

14. The method of claim 1, further comprising denying log on to the back-end server from the second computing device if the calculated window of one-time password values fails to correspond to the received one-time password value.

15. The method of claim 14, further comprising blocking further log on attempts after a pre-determined number of denied attempts to log on to the back-end server.
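Claims 1 through 15 describe a one-time password flow in which the device keeps no copy of the PIN, synthesizes a shared secret from whatever PIN is typed, and leaves the back-end server to verify against a window of values, deny mismatches and block the account after a set number of failures. The Python below is an added illustration of that flow written for this page; it is not code from the patent, its inventors or any assignee. The claims fix neither the synthesis function nor the OTP algorithm, so the HMAC-SHA256 derivation from a per-device seed, the RFC 4226 truncation, the 30-second time step, the window width and the lockout threshold are all assumptions of the example, and the user name, PIN, seed and timestamps are constructed.

```python
"""PIN-synthesized OTP with server-side window verification and lockout.

Added illustration of claims 1-15, not the patent's own code. The derivation
(HMAC-SHA256 over a device seed and the typed PIN) and the OTP algorithm
(HMAC-SHA1 with RFC 4226 dynamic truncation, 30 s steps) are assumptions.
"""
import hashlib
import hmac
import struct

DIGITS = 6
STEP_SECONDS = 30


def hotp(secret: bytes, moving_factor: int) -> str:
    """HMAC-SHA1 one-time password with RFC 4226 dynamic truncation (assumed algorithm)."""
    mac = hmac.new(secret, struct.pack(">Q", moving_factor), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class OtpApp:
    """First computing device. Holds only a per-device seed; the valid PIN is never stored (claim 1)."""

    def __init__(self, device_seed: bytes):
        self.device_seed = device_seed

    def synthesize_secret(self, purported_pin: str) -> bytes:
        # Every PIN yields a secret; only the valid PIN yields the one the server
        # holds (claims 12-13). Nothing on the device says which PIN is right.
        return hmac.new(self.device_seed, purported_pin.encode(), hashlib.sha256).digest()

    def generate_otp(self, purported_pin: str, now: float) -> str:
        # Clock-based moving factor (claim 5), synchronized with the server's clock.
        return hotp(self.synthesize_secret(purported_pin), int(now // STEP_SECONDS))


class BackEndServer:
    """Stores the valid PIN and valid shared secret per user (claim 1)."""

    def __init__(self, window: int = 1, max_failures: int = 5):
        self.users = {}
        self.window = window            # steps of clock drift tolerated either side
        self.max_failures = max_failures  # claim 15's pre-determined number

    def enroll(self, user: str, valid_pin: str, device_seed: bytes) -> None:
        # Stand-in for the interactive enrollment session (claim 8): the server ends
        # up holding the valid PIN and the valid shared secret.
        secret = OtpApp(device_seed).synthesize_secret(valid_pin)
        self.users[user] = {"pin": valid_pin, "secret": secret, "failures": 0, "locked": False}

    def login(self, user: str, received_otp: str, now: float) -> str:
        rec = self.users[user]
        if rec["locked"]:
            return "blocked"
        center = int(now // STEP_SECONDS)
        # Calculate the window of valid values and compare each one (claim 1).
        candidates = [hotp(rec["secret"], c) for c in range(center - self.window, center + self.window + 1)]
        if any(hmac.compare_digest(c, received_otp) for c in candidates):
            rec["failures"] = 0
            return "allowed"
        rec["failures"] += 1                       # claim 14: deny the log on
        if rec["failures"] >= self.max_failures:   # claim 15: block further attempts
            rec["locked"] = True
            return "blocked"
        return "denied"


def demo() -> dict:
    """Constructed scenario (not data from the patent): valid PIN, clock drift, wrong PIN, lockout."""
    seed = b"\x01" * 32                          # constructed per-device seed
    app = OtpApp(seed)
    server = BackEndServer(window=1, max_failures=3)
    server.enroll("alice", "4821", seed)
    t0 = 1_700_000_000.0
    out = {}
    out["valid_pin"] = server.login("alice", app.generate_otp("4821", t0), t0)
    # One step of clock drift still falls inside the server's window.
    out["drift_one_step"] = server.login("alice", app.generate_otp("4821", t0), t0 + STEP_SECONDS)
    # A wrong PIN still yields a well-formed code; only the server can tell (claims 11, 13).
    wrong = app.generate_otp("0000", t0)
    out["wrong_pin_looks_valid"] = len(wrong) == DIGITS and wrong.isdigit()
    out["attempts"] = [server.login("alice", wrong, t0) for _ in range(3)]
    # Once blocked, even the correct code is refused (claim 15).
    out["after_block"] = server.login("alice", app.generate_otp("4821", t0), t0)
    return out


if __name__ == "__main__":
    print(demo())
```

The point the example makes is in synthesize_secret together with demo: a stolen device of this design gives an attacker nothing to test a PIN guess against offline, since every PIN produces a plausible six-digit code, so guesses have to be sent to the server, where the failure counter and lockout of claims 14 and 15 apply. Compare codes with hmac.compare_digest rather than ==, and treat the window width as a trade-off between tolerated clock drift and the number of values an attacker can hit per attempt.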

16. The method of claim 1, further comprising storing a web site verifier function of the one-time password application on the first computing device for generating a valid random challenge code on the first computing device responsive to receiving entry of the valid PIN value on the first computing device.

17. The method of claim 16, further comprising storing a web site verifier function of the shared secret for the user on the back-end server for generating a valid response code responsive to receiving entry of the valid random challenge code from the second computing device when the random challenge code is valid.

18. The method of claim 17, further comprising receiving entry on the first computing device of the purported PIN value and a selection of the web site verifier function on the first computing device.

19. The method of claim 18, further comprising generating the random challenge code for mutual authentication of a web site for the user by the web site verifier function on the first computing device of the user.

20. The method of claim 19, further comprising receiving entry of the random challenge code by the back-end server from the second computing device.

21. The method of claim 20, further comprising cryptographically calculating the response code by the back-end server based on the random challenge code and displaying the calculated response code on the second computing device.

22. The method of claim 21, further comprising receiving entry on the first computing device of the displayed response code and displaying an affirmative indicator on the first computing device if the entered response code corresponds to the generated random challenge code by the web-site verifier function on the first computing device.

23. The method of claim 1, further comprising storing an email verifier function of the one-time password application on the first computing device for generating a valid response code on the first computing device responsive to receiving entry of the valid PIN value and a challenge code associated with an email message received on a second computing device.

24. The method of claim 23, further comprising storing an email verifier function of the shared secret for the user on the back-end server for generating the valid response code responsive to receiving entry of the valid random challenge code from the second computing device when the random challenge code is valid.

25. The method of claim 24, further comprising cryptographically calculating the random challenge code by the back-end server based on the shared secret value and including the calculated challenge code in association with an email.

26. The method of claim 25, further comprising receiving entry on the first computing device of the purported PIN value and a selection of the email verifier function and the random challenge code associated with the email received on the second computing device.

27. The method of claim 26, further comprising generating the response code for authenticating the email for the user by the email verifier function on the first computing device of the user.

28. The method of claim 27, further comprising allowing the user to authenticate the email if the displayed response code corresponds to the response code generated on the first computing device.
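Claims 16 through 22 run the challenge in one direction (the device issues a random challenge, the web site's back end answers it from the stored shared secret, the device checks the answer) and claims 23 through 28 run it in the other (the server derives a challenge and response from the shared secret and puts them in the email, the device recomputes the response from the typed PIN and the mailed challenge). The Python below is an added illustration of both exchanges written for this page, not code from the patent, its inventors or any assignee. The claims do not fix the derivation or the response-code computation, so the HMAC-SHA256 constructions, the domain-separation labels, the eight-digit codes and the per-message identifier are assumptions, and the seed, PIN and impostor secret are constructed.

```python
"""Web-site and email verifier functions over a PIN-synthesized secret.

Added illustration of claims 16-22 and 23-28, not the patent's own code. The
HMAC-SHA256 derivation, the labels used for domain separation and the 8-digit
code format are assumptions made for the example.
"""
import hashlib
import hmac
import secrets

CODE_DIGITS = 8


def synthesize_secret(device_seed: bytes, purported_pin: str) -> bytes:
    """Device side: the secret exists only transiently, derived from the typed PIN."""
    return hmac.new(device_seed, purported_pin.encode(), hashlib.sha256).digest()


def code_from_mac(secret: bytes, label: bytes, data: bytes) -> str:
    """Numeric code from an HMAC, domain-separated by label (assumed construction)."""
    mac = hmac.new(secret, label + b"|" + data, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


# Web site verifier (claims 16-22): device challenges, server answers.

def device_new_web_challenge() -> str:
    # Random challenge the user types into the web site (claims 16, 19).
    return str(secrets.randbelow(10 ** CODE_DIGITS)).zfill(CODE_DIGITS)


def server_web_response(shared_secret: bytes, challenge: str) -> str:
    # Server computes the response from the stored shared secret (claims 17, 21).
    return code_from_mac(shared_secret, b"web-verify", challenge.encode())


def device_check_web_response(device_seed: bytes, pin: str, challenge: str, displayed: str) -> bool:
    # Device recomputes with its synthesized secret (claim 22). A site that does
    # not hold the user's secret cannot produce the matching response.
    expected = code_from_mac(synthesize_secret(device_seed, pin), b"web-verify", challenge.encode())
    return hmac.compare_digest(expected, displayed)


# Email verifier (claims 23-28): server challenges, device answers.

def server_email_codes(shared_secret: bytes, message_id: str) -> tuple:
    # Challenge derived from the shared secret and a per-message identifier
    # (claim 25); the matching response is derived from the challenge (claim 24).
    challenge = code_from_mac(shared_secret, b"email-challenge", message_id.encode())
    response = code_from_mac(shared_secret, b"email-response", challenge.encode())
    return challenge, response


def device_email_response(device_seed: bytes, pin: str, challenge: str) -> str:
    # User types the PIN and the mailed challenge; the device emits the response (claims 26-27).
    return code_from_mac(synthesize_secret(device_seed, pin), b"email-response", challenge.encode())


def email_is_authentic(device_seed: bytes, pin: str, challenge: str, displayed: str) -> bool:
    # Claim 28: the mailed response must match the one the device generated.
    return hmac.compare_digest(device_email_response(device_seed, pin, challenge), displayed)


def demo() -> dict:
    """Constructed scenario (not data from the patent): genuine and impostor counterparties."""
    seed = b"\x02" * 32                               # constructed per-device seed
    pin = "4821"
    shared_secret = synthesize_secret(seed, pin)      # what enrollment left on the server
    impostor_secret = b"\x03" * 32                    # a phishing site's or forger's key

    challenge = device_new_web_challenge()
    out = {
        "genuine_site": device_check_web_response(seed, pin, challenge, server_web_response(shared_secret, challenge)),
        "phishing_site": device_check_web_response(seed, pin, challenge, server_web_response(impostor_secret, challenge)),
    }
    ch, resp = server_email_codes(shared_secret, "msg-0001")
    forged_ch, forged_resp = server_email_codes(impostor_secret, "msg-0001")
    out["genuine_email"] = email_is_authentic(seed, pin, ch, resp)
    out["forged_email"] = email_is_authentic(seed, pin, forged_ch, forged_resp)
    # With a wrong PIN the device cannot reproduce the response even for a genuine mail.
    out["wrong_pin_email"] = email_is_authentic(seed, "0000", ch, resp)
    return out


if __name__ == "__main__":
    print(demo())
```

Two points worth taking from the example. The response in each direction is bound to the challenge, so a recorded response cannot be replayed against a fresh challenge, and the web challenge is random per session for the same reason. Second, the device reports "not authentic" both for a forged email and for a mistyped PIN, so an interface built on this flow should word the negative indicator accordingly rather than implying the email itself is fraudulent.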

29. The method of claim 1, further comprising storing an update function of the one-time password application on the first computing device for initiating any of a token policy change, a one-time password algorithm change, and a parameter update responsive to receiving entry of an update code on the first computing device without requiring a change to the user's PIN value.

30. A computer system for secure user authentication using a one-time password, comprising: a first computing device storing a one-time password application; a back-end server storing a valid personal identification number (PIN) value and a valid shared secret for the user; the first computing device being programmed for receiving entry of a purported PIN value of the user; the first computing device being further programmed for dynamically synthesizing a purported shared secret on the first computing device using the one-time password application using the purported PIN value of the user, wherein no part of the valid PIN value is stored on the first computing device; the first computing device being further programmed for generating a purported one-time password value on the first computing device based on the purported shared secret; the back-end server being programmed for receiving entry of the purported one-time password value by the back-end server in an attempt to log on the back-end server from a second computing device; the back-end server being further programmed for calculating a time frame window of one-time password values by the back-end server; and the back-end server being additionally programmed for allowing log on to the back-end server from the second computing device when a calculated one-time password value in the window corresponds to the received one-time password value.

Patent Metadata

Filing Date

Unknown

Publication Date

April 7, 2015

Inventors

Ronald King-Hang Chu
Mark Kogen
Warren Tan
Simon Ma
Yosif Smushkovich
Gerry Glindro
Jeffrey William Coyte Nicholas

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “Methods and systems for secure user authentication” (9002750). https://patentable.app/patents/9002750
